CVE-2026-35449
WWBN AVideo has Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php
CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die() statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP addresses, session IDs, and user agents to unauthenticated visitors.
| CWE | CWE-200 |
| Vendor | wwbn |
| Product | avideo |
| Published | Apr 6, 2026 |
| Last Updated | Apr 7, 2026 |
Stay Ahead of the Next One
Get instant alerts for wwbn avideo
Be the first to know when new medium vulnerabilities affecting wwbn avideo are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Affected Versions
WWBN / AVideo
<= 26.0